ote technical note technic
Development of an Electrical Wire Interconnect System Risk Assessment Tool
September 2006 DOT/FAA/AR-TN06/17
This document is available to the public through the National Technical Information Services (NTIS), Springfield, Virginia 22161
U.S. Department of Transportation Federal Aviation Administration
NOTICE This document is disseminated under the sponsorship of the U.S. Department of Transportation in the interest of information exchange. The United States Government assumes no liability for the contents or use thereof. The United States Government does not endorse products or manufacturers. Trade or manufacturer's names appear herein solely because they are considered essential to the objective of this report. This document does not constitute FAA certification policy. Consult your local FAA aircraft certification office as to its use.
This report is available at the Federal Aviation Administration William J. Hughes Technical Center’s Full-Text Technical Reports page: actlibrary.act.faa.gov in Adobe Acrobat portable document format (PDF).
Technical Report Documentation Page 1. Report No.
2. Government Accession No.
3. Recipient's Catalog No.
DOT/FAA/AR-TN06/17 4. Title and Subtitle
5. Report Date
September 2006 DEVELOPMENT OF AN ELECTRICAL WIRE INTERCONNECT SYSTEM RISK ASSESSMENT TOOL
6. Performing Organization Code
7. Author(s)
8. Performing Organization Report No.
W. G. Linzey, Ph.D. 9. Performing Organization Name and Address
10. Work Unit No. (TRAIS)
Lectromechanical Design Company 45000 Underwood Lane, Suite L Sterling, VA 20166
11. Contract or Grant No.
12. Sponsoring Agency Name and Address
13. Type of Report and Period Covered
U.S. Department of Transportation Federal Aviation Administration Office of Aviation Research and Development Washington, DC 20591
Technical Note 14. Sponsoring Agency Code
ANM-111
15. Supplementary Notes
The Federal Aviation Administration Airport and Aircraft Safety R&D Division COTR was Cesar Gomez. 16. Abstract
During the last decade, there has been an evolving understanding of the importance of the Electrical Wire Interconnect System (EWIS) in aircraft safety. However, there is still no agreement on how the EWIS should be analyzed in aircraft safety assessment. The Federal Aviation Administration has initiated many programs to improve the understanding of safety issues related to the EWIS. This final report documents the development of Advanced Risk Assessment Methods for Aircraft Electrical Interconnect Systems (EIS). The project was divided into four tasks to identify current EIS design and risk assessment methods, techniques, practices, and tools; develop advanced EIS risk assessment methods; develop computer-based EIS risk assessment tools; and finally assess the tools. At the conclusion of the research program, a software tool and an EWIS database was developed. The software tool contains collocation analysis, quantitative analysis, and reporting modules. The collocation analysis performs the qualitative aspects. The quantitative analysis is performed by failure matrix analysis and damage potential analysis. The bundle section report brings aspects of these analyses together and reports on the whole EWIS.
17. Key Words
18. Distribution Statement
Electrical Wiring Interconnect System, Risk assessment, Cascading failures
This document is available to the public through the National Technical Information Service (NTIS) Springfield, Virginia 22161.
19. Security Classif. (of this report)
Unclassified Form DOT F1700.7
20. Security Classif. (of this page)
Unclassified (8-72)
Reproduction of completed page authorize
21. No. of Pages
44
22. Price
ACKNOWLEDGEMENTS Lectromec would like to thank the following persons and organizations for their time and assistance in the development of the Electrical Wire Interconnect System Risk Analysis Tool™: Cessna Aircraft Company, Advent Engineering, Bruce Bernstein, Steve Blazo, Jim Shaw, AirTran Airways, Consolidated Edison, Avionics Support Group, TIMCO, US Airways, MidCoast Aviation, John Strout, and Brett Portwood (Federal Aviation Administration).
iii/iv
TABLE OF CONTENTS Page EXECUTIVE SUMMARY
ix
INTRODUCTION
1
DESCRIPTION OF TOOL
2
Overview Database for EWIS Model
2 4
The EWIS Component-Level Data Bundle Section-Level Data Zonal-Level Data Miscellaneous (Non-Level-Specific) Data The EWIS Failure and General Information Database The EWIS Component Failure Rate Data Damage Potential Data The EWIS Safety Questions From Regulation and Guidance Documents Analysis and Report Generation
4 6 9 10 11 11 13 14 14
Collocation Analysis and Report Damage Potential Analysis and Report Bundle Section Analysis and Report Failure Matrix Analysis and Report Aging Model Report OBJECTIVES
14 14 16 17 18 19
Regulation Consideration Routine and Abnormal Operation and Maintenance Functional Failures Unintended Consequences of Failure Effects of Collateral Damage to Collocated Systems and Equipment Age-Related Degradation Evaluation of Subsystem Tradeoffs or Other Control Methods Use of Aircraft Design Information Determining the Severity of the Functional and Collateral Failure Risk Analysis Tool for TC and STC Applications BETA TESTING
20 24 25 26 28 30 30 31 31 32 33
v
LIST OF FIGURES Figure 1 2 3 4 5 6 7 8 9 10 11 12 13
Page Flowchart of the EWIS RAT Wire Shown in Circuit Diagram Examples of Bundle Sections Installation Drawings of the Left Wing Showing Three Main Bundles Zone Map of an Aircraft Analysis of the SDR Database Example Report for Collocated System and Subsystems in Bundle Sections Example Report for Damage Potential in a Bundle Section Example of a Bundle Section Report EWIS Failure Collected Into an FMES and Entered Into the System Fault Tree Example of a Failure Matrix Report Example of Aging Model Report Flowchart for Proposed 14 CFR 25.1705 Advisor Materials
vi
2 6 7 8 9 12 15 15 16 17 18 19 23
LIST OF TABLES Table 1 2 3
Page Structure of EWIS Model Database Parameters Affecting EWIS Failure Rates Correspondence of the EWIS RAT Modules
vii
5 13 21
LIST OF ACRONYMS, SYMBOLS, AND ABBREVIATIONS τ λ ac ACO ARP ATA CCA CFR CMR DAR dc DER EWIS FHA FMEA FMES LRU LSSNORMWB OAM PSSA RAT RH SDR SFR SSA STC TC
Exposure time for which the probability of failure is defined or evaluated. Failure rate Alternating current Aircraft Certification Office Aviation Recommended Practice Air Transport Association Common cause analysis Code of Federal Regulations Certification maintenance requirements Designated Airworthiness Representative Direct current Designated Engineering Representative Electrical Wire Interconnect System Functional hazard assessment Failure modes and effective analysis Failure modes and effect summary Line replacement unit Loss of normal wheel breaking Original aircraft manufacturer Preliminary safety analysis Risk Assessment Tool Right hand Service Difficulty Reports Special Federal Aviation Regulation System safety analysis Supplemental Type Certificate Type Certificate
viii
EXECUTIVE SUMMARY During the last decade, there has been an evolving understanding of the importance of the Electrical Wire Interconnect System (EWIS) in aircraft safety. However, there is still no agreement on how the EWIS should be analyzed in aircraft safety assessment. The physical failure of wiring has caused damage to other aircraft systems and has ignited flammable material in close proximity to wiring. It is known that wiring malfunctions have contributed to turn backs and in-flight diversions. Some of these have involved declared emergencies, and in rare but tragic instances, wiring malfunctions have progressed to the loss of aircraft. Today there is an increasing effort to find potential failures and avoid them during design or fix them during periodic, in-service inspections to prevent problems from worsening. Wire failure prevention is proven to be a fraction of considerable cost for repair. While the EWIS is receiving greater attention, wiring still has not been fully considered part of an overall reliability analysis. However, a risk analysis tool (EWIS Risk Assessment Tool™) has been developed that facilitates just this function, permitting a more realistic evaluation of the in-service performance and reliability of a particular wiring layout. This report documents efforts to develop advanced risk assessment methods for aircraft Electrical Interconnect Systems. For an EWIS risk assessment tool to be effective, it must contain a EWIS database where the relevant parameters of wires, the systems they support, bundles, and zones are brought together. Users of the tool must be able to integrate the results of the EWIS analysis with the overall aircraft safety analysis. This allows measurement of the importance of an EWIS failure, in terms of both severity and probability of effect, with respect to the continued safe operation of an aircraft. A qualitative analysis is an effective tool for analyzing the EWIS complexity. The tool should promote a robust common cause analysis that examines the whole EWIS at one time. In addition to the qualitative analysis, there should be a quantitative analysis with a failure rate number based on historical data, laboratory experiments, and expert judgment. A reporting type tool module that produces reports that can be directly integrated into the safety analysis required by regulations (Title 14 Code of Federal Regulations (CFR) 25.1309 and the proposed 14 CFR 25.1705). The risk assessment tool was developed that included a EWIS database and software type tool. The tool performs a collocation analysis to perform the qualitative aspects of the EWIS. It also performs a quantitative analysis using a failure matrix analysis and a damage potential analysis. Finally the bundle section report module brings aspects of these analyses together and reports on the whole EWIS. However, additional work needs to be done on the quantitative parts of the tool to improve its validity. Methods such as paired comparison with expert opinion are being refined to incorporate incomplete historical data for both new design and aging aircraft.
ix/x
INTRODUCTION There are several issues relating to Electrical Wire Interconnect System (EWIS) safety that are quite important. Some of these are not new and have been discussed before, but they are repeated here for completeness. The EWIS in aircraft is quite complex. Typical aircraft have from 10 to 100 of miles of wire installed such that wire from one system is often collocated with wire from many other systems. For example, in a business jet Title 14 Code of Federal Regulations (CFR) Part 25 airplane, the wiring from the right-hand (RH) wing anti-ice system is collocated with the wiring from 42 of the 59 named systems in the airplane. Detailed inspections of in-service wiring show that problems are common to both large and small transport aircraft. The problems include inadvertent damage during maintenance, such as using wire bundles as ladder rungs, stepping on and damaging wiring hidden under insulation blankets, inadequate support clamping, and improper installation that can aggravate chafing and the potential for dangerous arcing. Moreover, today’s jet aircraft rely even more on sophisticated electrical and computer systems, placing a premium on the reliability of wiring, power feeder cables, connectors, and circuit protection devices. Wiring is now seen as vital to systems that support an aircraft-level function, and wiring must be designed, modified, monitored, and maintained as such. The EWIS is an important separate system, as important as hydraulic, pneumatic, structural, and other systems. The physical failure of wiring has caused damage to other aircraft systems and has ignited flammable material in close proximity to wiring. Although there are gaps in the existing database of wiring-related problems, it is known that wiring malfunctions have contributed to turn backs and in-flight diversions. Some of these have involved declared emergencies, and in rare but tragic instances, wiring malfunctions have progressed to the loss of aircraft. A proactive program of wiring inspection, pre-emptive repair, and where necessary, selective wire replacement can save enormous time and money. Unscheduled maintenance is the most expensive and disruptive kind, which can cost twice as much or more than a planned maintenance. Moreover, operators with defined programs of wiring maintenance have demonstrated that the programs are not only cost-effective, they contribute to increased safety and reliability—one measure of which takes the form of improved dispatch rates. Currently, there is an increasing effort to find potential failures and avoid them during design or fix them during periodic, in-service inspections to prevent problems from worsening. Wire failure prevention is proven to be a fraction of considerable cost for repair. While the EWIS is receiving greater attention, wiring still has not been fully considered part of an overall reliability analysis. However, a risk analysis tool (EWIS Risk Assessment Tool (RAT™)) has been developed that facilitates just this function, permitting a more realistic evaluation of the inservice performance and reliability of a particular wiring layout. The goal of a wiring system safety analysis tool is to prevent a bundle-level failure. In addition, should a bundle failure occur while the aircraft is in service, the system should be designed in such a way that its progression to an aircraft-level failure is minimized. The intervention during
1
design is to minimize the cost of failure in service, and the attendant burden of unscheduled maintenance on dispatch reliability while maximizing the airplane’s in-flight safety. DESCRIPTION OF TOOL OVERVIEW. The EWIS RAT itself is made up of two databases and an analysis and report generator module. Both the Database for EWIS Model and the EWIS Failure and General Information Database feed the analysis and report generator module, which produces a series of reports. Figure 1 shows a flowchart of the EWIS RAT.
FIGURE 1. FLOWCHART OF THE EWIS RAT In the Database for the EWIS Model, the EWIS for a particular aircraft is described. The EWIS is described at three levels: the EWIS component level, the bundle section level, and the zonal level. Different sets of aircraft data such as EWIS components, bundle section, and zone information are integrated to define the EWIS structure, how EWIS failures affect system
2
function, and the environmental and operational conditions that EWIS experiences. The user enters the data for a particular application. The Database for EWIS Failure and General Information contains the general information that is applicable to any EWIS safety analysis. This includes EWIS component failure rates for the various failure modes under different conditions and damage-level tables for arcing wire. General information such as Air Transportation Association (ATA) system codes and connector pin nearest neighbor information are found in this database. In addition, this database contains a table of query instructions based on specific regulations to determine if the EWIS conforms to the regulations. This database was developed during this project and, in general, will not change from application to application. This database has a version number and can be updated by the developers when better information becomes available. After the EWIS Model data has been entered into the database, the user can select the analysis to be performed. Different types of analysis are designed to meet different aspects of the safety analysis, producing an electronic report. The following describes the various analyses and reports that may be generated: •
Collocation reports—Several different collocation analyses are available. Collocation reports analyses of systems, subsystems, failure effects, etc., can be generated at the bundle or zonal level. In general, they are meant to be used during development of the EWIS, whereas the bundle section report will be used as certification documentation. When performing the common mode analysis, the failure effect collocation report can be used to show independence of certain basic events, at least in terms of EWIS.
•
Damage potential report—This analysis calculates the amount of damage that can result from an arcing or arc-tracking event in the bundle. Key bundle variables include number and gauge of power wires, circuit protection, voltage, and wire insulation type. Damage includes potential damage to the bundle itself, adjacent bundles, adjacent equipment, structures, and flammable material. The potential damage should be considered in the particular risk and zonal analysis, and depending on the analysis, could require separation, segregation, or other mitigation techniques.
•
Bundle section report—This report constitutes the integration of the damage potential, collocation reports, and specific EWIS separation and safety issues. Each bundle section is analyzed, and a risk analysis is done on the entire EWIS system. This report documents the physical failure analysis called for in the proposed 14 CFR 25.1705 and the common mode analysis of the functional failures.
•
Matrix report—This report generates a list of all basic events from the individual system fault trees and the probability that those basic events will occur due to EWIS failure. These basic events can be placed into the system fault trees to obtain more accurate system reliability numbers. This report is meant to satisfy proposed 14 CFR 25.1705, which requires that the effects of EWIS on the functional failure of the aircraft systems be included. With the addition of the EWIS failures, the system fault tree will delineate how, and the probability, the EWIS failure can result in aircraft-level hazards.
3
•
Aging model report—This report analysis models the effect for different environments on the rate of EWIS failure with the passage time and, therefore, the probability of basic events. If these probabilities are used in the system fault trees, then the reduction of system reliability due to EWIS failure can be calculated as a function of aircraft age.
These reports can be used to expedite and simplify the safety analysis called for by 14 CFR 25.1309, further delineated in Aviation Recommended Practice (ARP) 4761, and further defined in proposed 14 CFR 25.1705. DATABASE FOR EWIS MODEL. The Database for EWIS Model is broken into three levels: EWIS component page (wire, cable), bundle section page, and zone information page, as shown in figure 1. Once a wire is fully defined, it is placed in the appropriate bundle section. All the properties of that wire are now related to those bundle sections. As more wires are added to the bundle sections and the bundle routing data is added, the bundle sections become fully defined. The bundle sections are then placed in zones. All the wire and bundle data from that bundle section are now related to a specific zone. Once operational, environment, and equipment data are added to the bundle section data, the zone is fully defined. Table 1 shows the data required for the three levels. Also indicated in the table are miscellaneous data that is not strictly associated with any of the three levels. THE EWIS COMPONENT-LEVEL DATA. The EWIS component data are the building blocks of the EWIS system. For the purposes of this database, a wire is defined as any conductor that is routed from one point of termination to another. Each wire is identified by a wire identification that is generally found in circuit diagrams and also written on the wire itself or sleeve in which the wire is contained. Figure 2 shows an example of a wire taken from a circuit diagram. Systems and subsystems are associated with each wire. Wire characteristics for individual wires include wire gauge, insulation, and conductor type. There are three options available to the user for the power classification of wire: power, ground (or low impedance), or signal (or high impendence). The classification is determined by the user and is based on the normal operation of the wire. Special wire characteristics include such functions as fly-by-wire, fire protection, and Special Federal Aviation Regulation (SFAR) 88-related wire. In defining a wire, the user must characterize the failure effects for the different failure modes that will occur on the system. The three levels of effect that can be entered for the wire are (1) EWIS or functional fault—considered the lowest-level fault, (2) local fault or basic event— commonly linked to a fault tree, and (3) the higher-level effect, which is used for grouping related faults.
4
TABLE 1. STRUCTURE OF EWIS MODEL DATABASE EWIS Model Level EWIS Components (Wire) Level
Bundle Section Level
Data Group Wire/connector
Multiwire cable Circuit protection Bundle sections Within 6″ region
Zonal Level
Miscellaneous (Non-levelspecific)
Subzone
Zone System/subsystem Connector and splice Electrical and nonelectrical equipment Failure effect
Generator/power source and electric bus General aircraft information
Required Data Elements Wire ID, system, subsystem, wire connection data, wire physical, characteristics, power characteristic, special wire information, circuit protection, failure effect for different failure modes Cable ID, constituent wire, shielding/jacket Cir. Prop. ID, type, rating, electric bus (connected to) Bundle Section ID, constituent wire/cable, length, curvature, bundle section interface, bundle type Adjacent Bundle Sections, adjacent electrical and nonelectrical devices, other adjacent installations (hydraulic lines, etc.) Subzone ID, contained bundle sections, contained electrical and nonelectrical devices and installations, environmental conditions, special zonal designations (e.g., fire zone, etc.) Zone ID, description System ID (ATA), subsystem ID, redundancy, description Connector ID, connector type, Mil Spec, mating frequency, zone, splice ID, splice type Equipment ID, system, subsystem, MEL
Effect ID, scope, system, subsystem, connection to system fault tree, likely detection, detection description Source ID, bus ID, source generator, frequency (or DC), phase, magnitude Model Name, phase of flight, default tau (mission time) aircraft make model and series
5
FIGURE 2. WIRE SHOWN IN CIRCUIT DIAGRAM To ensure that a full and consistent model is developed for defining the EWIS system, both termination points of the wire are identified. This allows wires that are connected in series (i.e., through a connector) to be identified. The risk assessment tool will notify the user if there are inconsistencies in the model, for example, if a power wire is mistakenly connected directly to a ground wire. Some wire properties (i.e., voltage characteristics, effect of failure, etc.) can be inherited from previously entered wire data. The user can create multiwire cables with shield and jacket properties. The user assigns the appropriate wire to the cable while wires not assigned to a cable are assumed to be singleconductor wires. Power wires are assigned to a circuit protection. The circuit protection is defined by type, rating, and the source electrical bus. BUNDLE SECTION-LEVEL DATA. A bundle section is defined as that part of a bundle in which no wires enter or leave the bundle. Whenever two or more bundles come together to form a new bundle or one bundle separates into two bundles, a bundle intersection is formed. Further, if a bundle section is routed from one environmental zone to another, the bundle is broken into two sections. In addition, if the installation type of a bundle changes, a new section is created. For example, if the bundle type changes from an open bundle to a bundle in a conduit, a new bundle section is formed. Figure 3 shows several examples of wire installations broken into bundle sections.
6
FIGURE 3. EXAMPLES OF BUNDLE SECTIONS The bundle sections are populated with the appropriate wires and cables, as determined by bundle manufacturing tables, diagrams, and installation drawings. Other properties of the bundle section include the section length, section types, and curvature. Each bundle section has two end points that can be assigned to a connector, electrical device, power bus, or a bundle interface. A bundle interface occurs when two or more bundle sections come together. EWIS failures can occur in section interfaces, such as connectors and bundle intersections. Failures that occur on device terminals are failures of the device and are not included in the EWIS failure analysis. Figure 4 shows an installation drawing with the top bundle broken into sections. Other attributes that can be assigned to a bundle section includes items such as other bundle sections, electrical and nonelectrical equipment, and installations such as hydraulic or fuel lines that are within 6 inches of the section. Through this assignment, wires (systems) from a bundle that are related to other systems and equipment that are adjacent to but not a part of the bundle section.
7
8 FIGURE 4. INSTALLATION DRAWINGS OF THE LEFT WING SHOWING THREE MAIN BUNDLES
ZONAL-LEVEL DATA. To provide a method for locating work areas and components for maintenance purposes, original aircraft manufacturers (OAM) generally break aircraft into zones. Zones usually follow the physical barriers in the aircraft and often are further broken down into subzones. Figure 5 displays an example of zones for a small transport aircraft. Each bundle section is assigned to the zone in which it is physically located. The bundle section and all the wires in it are exposed to the attributes of the zone, such as operational, environmental, conditional, and special properties. Information describing a given zone would include operational and environmental data, installations, a list of equipment, and the line replacement unit (LRU) contained in the zone. By assigning each bundle section to a zone, the physical location of EWIS components are associated with actual locations on the aircraft, Non-EWIS components, other EWIS bundles, and environmental conditions on the aircraft.
FIGURE 5. ZONE MAP OF AN AIRCRAFT
9
A zone such as a fire zone, rotary burst zone, or the cargo area can also be assigned special properties, that must meet certain safety requirements of the regulations. For example, bundles in the cargo area must be routed so they are not a convenient handhold and will not be damaged by moving cargo. MISCELLANEOUS (NON-LEVEL-SPECIFIC) DATA. Some data do not easily fit into one of the three levels described above but are required to perform a proper risk assessment. Systems are identified using the ATA codes if possible. In some cases, especially in older aircraft, the systems are not defined in a way that is consistent with the ATA codes; in these cases, the use of OAM definitions is recommended. Subsystem identification is done by using the OAM definitions relating to the function(s) of the LRU that the wire is serving. Since not all OAMs have a well-defined method of subsystem definitions, this field may be defined to be the same as the system itself. System and subsystem redundancies are indicated. Required connector data includes type (cannon type, terminal block, and ground stud), zone, and mating frequency. The tool allows pin arrangement with nearest neighbor and next nearest neighbor data to be assigned to the connectors. In the failure matrix analysis, pin-shorting failures are more probable between neighboring pins. The electrical and nonelectrical equipment are assigned systems and subsystems so that complete collocation analysis can be performed. When EWIS failures occur, there may be functional effects on other aircraft systems. A master list of these effects are kept in the Database for EWIS Model and when analyzing the effect of a given failure mode of an EWIS component, the user will select a failure effect from the master list. Users can create a new failure effect if the appropriate failure effect does not exist in the master list. The failure effect is assigned a scope or level of detail. The first and most detailed is the EWIS or functional effect. This effect describes what occurs at the component level, but it is unlikely that this level of detail would be found in the actual system fault trees. The second more general level of detail is the basic event level. This effect should correspond to a basic event in a system fault tree. This link connects the EWIS failure analysis with the system fault trees. If the effect is not important enough to merit inclusion in a fault tree, then the local system effect is recorded and is noted that the effect is not a basic event. The third level is the higher-level effect and is used for grouping related failure effects. For each EWIS component failure mode, the user chooses three effects corresponding to each of the three different levels. Electrical buses are connected to generators (e.g., right, left, or auxiliary power unit and other sources such as ground power or batteries. Bus attributes include power characteristics such as alternating current/direct current (ac/dc) frequency, phase, and magnitude. The bus passes this information to the power wires via the circuit protection attached to the buses and assigned to the wire.
10
General model information such as aircraft make, model, and serial number(s) is entered when the model is formed. The model name and phase of flight are shown on the reports generated by the model. The mission time can be assigned the model default tau (τ). THE EWIS FAILURE AND GENERAL INFORMATION DATABASE. The EWIS Failure and General Information Database contains the data required for the different analyses performed by the tool. There are two groups of failure data within the database: (1) the EWIS Component Failure Rate Data, which is used for the Failure Matrix Analysis when calculating wire failure probabilities and (2) the damage potential data, which is used by the damage potential analysis and bundle section report when assessing the damage that an electrical arc (or arc track) could do to the bundle itself or surrounding bundles, equipment, or installations. Additional data such as instructions for queries based on the regulations used in the bundle section report are also contained in the database. THE EWIS COMPONENT FAILURE RATE DATA. The failure matrix analysis is quantitative and requires failure rates for different EWIS failure modes. The wire failure modes considered by EWIS RAT version 2.05 are shorts to structure and shorts wire-to-wire. In addition to failure mode, it is known that other parameters affect the failure rate (e.g., wire characteristics, routing, and zonal conditions). A method of determining failure rates for EWIS components in a variety of conditions is required. Historical data are one of the best sources for failure rates used for quantitative analysis. In this case, the Service Difficulty Reports (SDR) database was used as the source for EWIS failure data. Relevant reports were found using search parameters such as wire and harness and variations (e.g., wiring), and searching the SDR narratives. The searches were done for several different airplane models, operators, and periods in which corresponding FAA utilization reports were available. This allowed the total flight hours accumulated by the population to be determined during the time searched. The SDRs returned by the searches were read, and those not related to EWIS failure (e.g., pulley wire failure) were removed from the data set. Analysis of the data resulted in failure rates for opens and shorts between 2 x 10-5 and 2 x 10-4 failures per flight hour per airplane, as shown in figure 6. Using estimates of the number of feet of wire in the various airplanes, the average EWIS failure rate was determined to be between 10-9 and 10-10 failures per foot of wire per flight hour. For a 100-foot piece of wire, this corresponds to failure rate of between 10-7 and 10-8 failures per flight hour.
11
FIGURE 6. ANALYSIS RESULTS FOR THE ANALYSIS OF THE SDR DATABASE A database of EWIS failures was constructed to determine the effect of the wire characteristics, routing, and zonal condition on the historical data. The analyst used SDR records, general aviation knowledge, and his judgment to fill in the information for each of the fields if possible. Often, the analyst did not have the information required for some of the fields. The required fields for the EWIS failure database are as follows. • • • • • • • • • • • • •
Data Search Date Data search parameters Data Search Source Record ID Incident Date Aircraft make Aircraft type Aircraft Series Aircraft Serial Number Flight Hours Location of Incident Phase of Flight Number of Wires
• • • • • • • • • • • •
Element Type of Failure Age of Aircraft Wire Gauge (Exact) Wire Gauge (Approximate) Insulation Type Conductor Type Jumper Splice Bundle Type Exact/approx Operations Traffic
• • • • • • • • • • • •
Swamp Area Hydraulic Fluid Lavatory Fluid Anti-Ice Fluid Anti-Corrosion Fluid Bundle Size Related System Arcing Operator Curvature Vibration Operations Temperature
Based on the data field, one attempted to find the EWIS failure rate under different conditions. However, when the EWIS failure and general information database was reviewed, it was found that, for many of the parameters, there was not sufficient coverage of EWIS failures to make a determination of its relative importance to the failure rate. To resolve this problem, paired comparison with expert judgment was used to supplement historical data. The parameters used in the paired comparison are shown in table 2. (Note that 12
these parameters correspond to entries in the wire bundle and zonal entry pages of the EWIS RAT database.) The results of the paired comparison were used to develop a set of weighting factors for the parameters; and using historical data, a probability failure function was developed for each of the parameters. The weights were combined with the probability functions in a linear model to form a failure rate probability formula. Note that because of the lack of data, some parameters in table 2 were not represented in the formula. TABLE 2. PARAMETERS AFFECTING EWIS FAILURE RATES Insulation Type Wire gauge Conductor Jumper Splices Bundle type Curvature Ops/main. traffic Vibrations Ops. temp SWAMP area Hydraulic fluid Lavatory fluid Anti-ice fluid Anticorrosion fluid Bundle size
Polyimide, PVC, PVC Glass 14 or lower, 16 or higher Copper, high strength alloy Yes, no Yes, no Protected, open Low, medium, high Low, medium, high Low, medium, high Low, medium, high Yes, no Yes, no Yes, no Yes, no Yes, no (1,10) (11,50) (51, +)
Swamp = severe wear and moisture prone
These formulas were incorporated into the database SB 1.00 that is included in EWIS RAT version 2.05. This was an evolving process, and the EWIS Failure and General Information Database was not developed until after the SDRs in figure 6 were analyzed. The formulas in this database were developed using SDRs from a series of business transport aircraft. However, the average failure rates of these aircraft were similar to those of the larger transport aircraft. The EWIS RAT database is in the process of being updated with the larger transport aircraft SDR data. DAMAGE POTENTIAL DATA. The damage potential data is a scale that represents the amount of damage that can be caused by an arcing or arc-tracking event in a bundle section. This was estimated using relevant parameters of the power wires contained in the bundle. These parameters are: • • •
Wire voltage (magnitude, ac/dc) Wire gauge Wire insulation type
13
• •
Circuit protection (type and rating) Number of power wires
Other parameters, such as generator rating, can be incorporated in the database as relevant data becomes available. The damage potential rating ranges between 1 and 7. A damage potential rating of 1 corresponds to little damage to other wires within the bundle and adjacent structure. A damage potential of 7 corresponds to a potential for many wires within the bundle to be damaged along with structural damage and the possibility of fire ignition. THE EWIS SAFETY QUESTIONS FROM REGULATION AND GUIDANCE DOCUMENTS. The FAA and other aviation organizations have produced regulation and guidance material concerning the EWIS of special circumstances. For example, in the separation requirement of proposed 14 CFR 25.1709, EWIS in a cargo area should be routed such that the bundles cannot be used as handholds or be damaged by cargo. A list of instructions that will cause the tool to query the Database for EWIS Model for these special circumstances is part of the EWIS Failure and General Information Database. When the special circumstances have been found in the model, the tool can alert the user to the situation and prompt the user to indicate how the regulation or recommendation has been addressed. These instructions can be updated as new regulations or guidance material becomes available. ANALYSIS AND REPORT GENERATION. COLLOCATION ANALYSIS AND REPORT. Collocation analysis is a qualitative approach to handle the issue of wires from many systems routed in the same or adjacent bundles. The scope of the collocation can be at the bundle section or zonal level. Collocation of systems, subsystems, wires, bundles, and failure effects can be identified. For example, a collocation analysis at the bundle section level for systems A and B will identify each bundle section that contains wire from both systems A and B. A second mode of analysis can identify all systems, subsystem wires, or failure effects located in one particular bundle section or zone identified by the user. This analysis does not automatically disallow certain systems and subsystems to be collocated, but provides the user with a simple report with collocated systems clearly identified. The user then must decide if the wire from one of the systems should be rerouted, or if the system can be routed together in this bundle section. An example report is shown in figure 7. In this example, ice and rain protection, lights, and powerplant wire are all collocated in bundle section C-3. DAMAGE POTENTIAL ANALYSIS AND REPORT. The damage potential can be evaluated for a given bundle, section, or zone based on the number and type of power wires that are present. The wire and circuit properties that affect the calculations are voltage, circuit protection, wire gauge, and insulation type. These data would be matched with experimental results that quantify the potential damage due to a short. Figure 8 shows a typical report for a given bundle section. A maximum damage potential of 2 (out of a possible 7) tells the user that the damage potential is relatively low. The user can then determine if there is any equipment
14
near this bundle section that could be damaged significantly. Relating the damage potential number to a level of damage in the users mind will be a significant barrier to overcome.
FIGURE 7. EXAMPLE REPORT FOR COLLOCATED SYSTEM AND SUBSYSTEMS IN BUNDLE SECTIONS
FIGURE 8. EXAMPLE REPORT FOR DAMAGE POTENTIAL IN A BUNDLE SECTION Arc tracking for certain types of insulation is another event that has the potential to cause damage to collocated systems in the aircraft. Even with a wire type susceptible to arc tracking, certain power, wire gauge, and circuit protection combinations prevent arc tracking from occurring. Arc fault protection devices improve this situation further. Arc-track data in the Failure and General Information Database is compared to what is in the bundle to develop an arc-track potential rating. 15
BUNDLE SECTION ANALYSIS AND REPORT. Bundle section reports are designed to give a full description for all of the bundle sections that have been entered into the model. In addition to providing information on the bundle damage potential and arcing potential, the contents and routing of each bundle section is examined and analyzed. The analysis of each bundle section yields lists of questions that have been developed and compiled from several wire safety and routing documents. The bundle section analysis is designed to be completely interactive, thus allowing the user to fully explain circumstances that may have risen to cause a bundle safety question to be asked. These safety questions cover a number of topics from checking if both ac and dc power wire are routed in the bundle to checking if the bundle is routed in an area with deicing fluid and if any wires in the bundle section are silver plated. An example of the bundle section report is shown in figure 9.
FIGURE 9. EXAMPLE OF A BUNDLE SECTION REPORT For each bundle section, the information is broken down into three portions. •
General bundle section information. This portion contains a full listing for the contents of the bundle section including all of the wires (if a compact report is selected, this section is omitted), systems, subsystems, local faults, or basic events found in the bundle sections. In addition, a listing of all environmental extremes of the subzone that the bundle encounters is given. There is an area at the bottom of this section that is available for any comments that the user may wish to make.
16
•
Six-inch region. This portion contains a listing of all bundle sections that have been defined as being within 6 inches of the given bundle section and all of the local faults or basic events that are found in those sections. There also is an area at the bottom of this section that is available for any comments that the user may wish to make.
•
Safety questions. This portion contains a listing of all of the potential hazards that were found during the analysis of the given bundle section. Space is available after each question for comments.
FAILURE MATRIX ANALYSIS AND REPORT. This analysis is used to calculate the probability that basic events in system fault trees occur due to EWIS failure. The failure probability is calculated for the different failure modes of each wire in the model. This is done using the λ*τ formulation where λ is the failure rate and τ is the exposure time (often the time between functional checks). The failure rates are calculated using data from the Failure and General Information Database. The failure probabilities are then grouped by the failure effect and an overall probability for each of the failure effects is calculated. This is a failure modes and effect summary (FMES), as described in ARP 4761. If a failure effect defined at the basic event level in the EWIS Model database corresponds to a basic event in the system fault trees, then the probability calculated by the Failure Matrix analysis can be used directly in that fault tree as the probability of the basic event due to EWIS failure. For example, figure 10 shows a small section of a system fault tree. System A nonfunctional is the top event for this part of the overall fault tree. The figure shows that three basic events have been identified that cause system A to be nonfunctional: EWIS failure, mechanical failure, and hydraulic failure. A failure matrix analysis will produce a probability that can be used as the probability for the system A nonfunctional due to EWIS failure. In this way, the functional effects of EWIS failure are integrated into the overall reliability of aircraft systems. Therefore, they are part of the risk calculation of probability of aircraft level event occurring. Figure 11 shows an example report from a failure matrix analysis.
FIGURE 10. EWIS FAILURE COLLECTED INTO AN FMES AND ENTERED INTO THE SYSTEM FAULT TREE
17
FIGURE 11. EXAMPLE OF A FAILURE MATRIX REPORT AGING MODEL REPORT. The aging model analysis calculates the changes in the EWIS failure probabilities as a function of time due to aging of the EWIS. It is similar to the failure matrix analysis; however, in the aging model, the EWIS failure rate is a function time. The form of the failure rate changes depend on the aging model that is used and the aging parameters chosen by the user. Figure 12 shows an example of an aging report. In this analysis, the probability of the basic event loss of normal wheel breaking (LSSNORMWB) is calculated as a function of time. A hydrolytic aging model for polyimide insulation was used with user input parameters of a average of 75% relative humidity and 25°C. For this model, the probability for LSSNORMWB begins to increase dramatically after 35 years.
18
FIGURE 12. EXAMPLE OF AGING MODEL REPORT OBJECTIVES The objective of the program was to create an appropriate technology and a tool by which that technology can be used to analyze the system safety of aircraft wiring. The development of such a risk assessment tool for aircraft electrical wiring is in its infancy, but the need stems from growing industry awareness that aircraft wiring represents the arteries, veins, and capillaries of the airplane electrical system. Note: The following items represent an understanding of the project objectives. The risk analysis tool should •
consider regulation 14 CFR 25.1309 (with related documents including ARP 4761 and proposed 14 CFR 25.1705 being considered) determines the scope of safety to which this risk assessment is oriented.
•
consider routine and abnormal operation and maintenance.
•
consider functional failure associated with random discrete events (both rare and common), taking into account all failure modes.
•
consider unintended consequences of failure, including common mode failure, cascading failure and fire due to collocated systems, and subsystems far from the point of failure.
19
•
consider effects of collateral damage to collocated systems and equipment.
•
consider age-related material degradation.
•
consider methods that facilitate evaluation of subsystem tradeoffs or other control methods being considered.
•
use aircraft design information to the greatest extent possible.
•
assist the user in determining the severity of the functional and collateral failure.
•
be useful for Type Certificate (TC) and Service Type Certification (STC) applicants, regulators, and maintenance personnel for new as well as legacy aircraft.
•
be tested using at least three beta test sites and the EWIS from a real aircraft model at least 20 years old. Key results are to be reported.
REGULATION CONSIDERATION. Guidance for showing conformity to 14 CFR 25.1309 has been given in several documents. The most significant of these are Advisory Circular 25.1309, ARP 4761, and ARP 4754. In recent years, ARP 4761 has become the bible for 14 CFR 25.1309 Safety Analysis. In accordance with these documents, a structured risk analysis is performed for the entire aircraft. The “FAA failsafe principle” is the overarching concept in the risk analysis, which is, in summary, “that no one failure should prevent continued safe flight” and “additional failures must be assumed unless they are shown to be extremely improbable.” In addition to these documents, the FAA, following ATSRAC recommendations (supported by Task Group 6), has proposed new rulemaking (14 CFR 25.1705) that will emphasize the EWIS in the safety analysis. If adopted, these rules will require that the type certificate (TC) or supplemental type certificate (STC) applicant must show specifically that EWIS has been considered in their safety analysis. The advisory material for the proposed rules follows the philosophy of ARP 4761. To show that the safety goals have been reached, the client—following ARP 4761—starts with aircraft and system (top level) functional hazard assessment (FHA) where the system failures and combinations of system failures that would prevent safe flight are defined. These system failures are then used as top-level events in a structured analysis, often using fault trees, that examines how equipment and component failure can lead to the top-level failures in the preliminary system safety assessment (PSSA). As more detail is known about the system design, failure rates for the equipment and components are introduced into the lower levels of the fault tree. These rates are found using historical data, failure modes and effect analysis (FMEA), and other means. With these failure rates and Boolean algebra, the failure probabilities of the top-level events are calculated; this is the system safety analysis (SSA). Along with the SSA, a common cause analysis (CCA) is completed to show the independence of redundant systems. This addresses the need to demonstrate that additional failures are extremely improbable.
20
The industry survey indicates that the scope of what is done in terms of EWIS in the safety analysis varies greatly from organization to organization. There is confusion on how to or even if there is a need to perform an EWIS analysis in addressing the 14 CFR 25.1309 requirements. In some cases, certain EWIS failure modes will be represented as basic events in system fault trees. Sometimes a qualitative common mode analysis is done for the loss of each individual connector. Often, the extent that the EWIS is addressed in the safety analysis depends on the analyst, designated engineering representative (DER), designated airworthiness representative (DAR), or the Airworthiness Certification Office (ACO) that reviews it. The different modules of the EWIS RAT address both the qualitative and quantitative aspects called for in ARP 4761. The software EWIS tools will prompt the user to give a methodical programmed response that will define the structure of the EWIS and the effects of different EWIS failure modes on the functioning of the airplane systems. The user will be able to generate reports that can be either directly used in the ARP 4761 analysis in the case of collocation/zonal analysis and damage potential, or integrated into system fault trees in the case of failure matrix analysis. The failure matrix analysis will produce a report where each piece of the EWIS is examined separately. The user will approve that each section of the EWIS is safe. The EWIS tool will provide a consistent interface and a defined process when performing the safety analysis. Some users may be reluctant to use the tool because it requires the user to enter EWIS data into its database. Much of the required data exists in different places (groups) within an organization. The collocation/zonal analysis does not demand a full data set. These analyses may be used to ease the user into trying the tool. Default values can be used where the user cannot determine values for certain fields. More severe than average conditions are assumed, so the resulting failure probabilities will tend to be conservative. The first column of table 3 shows the EWIS RAT analysis modules while the second column corresponds to the section of ARP 4761 or proposed 14 CFR 25.1705 that is addressed by the tools. TABLE 3. CORRESPONDENCE OF THE EWIS RAT MODULES EWIS RAT Module Collocation/Zonal Analysis
Damage Potential Failure Matrix Analysis Bundle Section Report *
ARP 4761* or Proposed 14 CFR 25.1705 Common Cause Analysis (4.4) Zonal Safety Analysis (4.4.1) Common Mode Analysis (4.4.3) Common Cause Analysis (4.4) Particular Risk Analysis (4.4.2) Support for Quantitative Fault Tree Analysis (4.1) using FMEA (4.2) and FMES (4.3) 14 CFR 25.1705
The numbers in parenthesis refer directly to sections in ARP 4761.
Figure 13 shows the flowchart developed in the advisory material for proposed 14 CFR 25.1705. Also, indicated on the figure are the functions where particular EWIS RAT modules may assist a TC
21
or STC applicant. Explanation of what EWIS RAT modules are and how they work are found in section 2. A description of the flowchart boxes are given below. •
Box A. Aircraft functional hazard assessment.
•
Box B. EWIS characteristics that include installation criteria and EWIS Components.
•
Box C. The EWIS and routing identified in box B are entered into the EWIS database for analysis using the system wire bundle and zonal entry pages of EWIS RAT.
•
Box D. The EWIS is analyzed for physical failures using the collocation and damage potential analyses. Collocation analysis can be done at the bundle, 6″ region around the bundle, or zonal level. Collocation of systems, systems failure effect, or individual wires can be done. When collocation of failure effects is performed, it considers the functional failures of the RH path of the flowchart. The EWIS common mode analysis is then complete.
•
Boxes E through H are iterative processes where mitigation strategies are introduced and their usefulness verified. Changes made for mitigation will be reflected in the EWIS database and box D analysis rerun.
•
Box I. The physical failure results as a whole are given in the bundle section report.
•
Box J. The effect of EWIS failures on the systems of the aircraft is entered as the EWIS data is input into the database. As a new failure effect is found, it is added to an effects list inside the database. If the effect is safety significant, it should be entered using the same phrasing as is employed in the system fault trees.
•
Box K. The failure matrix report identifies all EWIS failures that produce basic event level system effects under analysis.
•
Box L. After identifying the EWIS failures that produce a given system effect, the tool calculates the probability of that event occurring. This basic event and probability can be placed in the system fault trees and the need for mitigation can be assessed.
•
Boxes M through O are iterative processes in which mitigation strategies are introduced and their usefulness verified. Changes made for mitigation will be reflected in the EWIS database and box L analysis can be rerun.
•
Box P. Documentation of the EWIS safety analysis will be contained in the in the bundle section report (physical failures) and the failure matrix report (functional failures).
22
FIGURE 13. FLOWCHART FOR PROPOSED 14 CFR 25.1705 ADVISOR MATERIALS
23
ROUTINE AND ABNORMAL OPERATION AND MAINTENANCE. There are several aspects of both routine and abnormal operations and maintenance that are considered in a safety analysis. The most basic is that standard operation is taken into account throughout the safety analysis process. This starts with the FHA and continues with the PSSA and SSA. While the system fault trees are kept as general as possible (i.e., all phases of flight), it is sometimes necessary to analyze one phase of flight separately from the others to show compliance. Once the EWIS data has been entered for one phase of flight, a new model can be created by saving the old model with a new name and then making the necessary changes in the model that reflect the second phase of flight. Abnormal (or emergency) operation is integrated into the safety assessment from the start of development with the design of the system architecture and critical systems. Critical systems are required to have higher reliability numbers such that the 14 CFR 25.1309 goals are met. This is often accomplished using redundant systems (or equipment) so that when the primary system cannot perform a vital function, a secondary system is available. In this way, the critical function will be performed, unless both the primary and secondary systems have failed. In the safety analysis, it is important to show that these systems are independent (an event that makes the first system fail is unlikely to also cause the malfunction of the second system). A characteristic of independent systems is that they are not collocated; this includes the routing of the associated EWIS. The collocation analysis can identify any bundle section in which redundant systems are routed together. Collocation analysis can be run at the system, subsystem, failure effect, individual wire level, or any combination of these. When a bundle section report is generated, each collocated system and subsystem in the bundle section is displayed with collocated systems denoted. The user must comment as to the safety of the routing in general and justify any collocated redundant systems. Routine operation and maintenance also enter the safety assessment in the form of preflight checks and certification maintenance requirements (CMR). These actions limit the exposure time, (τ), of aircraft to component failures. The system faults use the exposure time in the calculation of basic event probabilities. The EWIS tool reflects the operational and maintenance checks by requiring that the users enter the expected time to detection (the exposure time) of each EWIS failure. The effect of operation and maintenance on the failure rate of EWIS components is not considered in the cases that were examined in the industry survey. A general probability for EWIS failures is used regardless of operation and maintenance traffic near a given bundle. Examination of the SDR database indicates that wire in the emergency path lighting system, which is exposed to high levels of operational traffic, has a much higher probability of wire failure in general. When the EWIS tool calculates the probability of failure, it considers several operation and maintenance related fields including: • • • •
Maintenance/operational traffic Operational temperature Bundle protection (conduit, etc.) Various fluids exposure
24
The next section discusses how these factors, and others, are used to calculate failure rates for different EWIS failure modes. Inclusion of the effects on routine and abnormal operations and maintenance in the probability calculation will make the safety analysis more realistic, and will allow the user to consider these factors when routing the system wires in the EWIS. FUNCTIONAL FAILURES. Historically, safety analyses do not address EWIS failure fully or at all. In safety analyses that address EWIS failures directly, random EWIS failures are treated as basic events that enter into the bottom of system fault trees. The failure rates used are of the order of 10-7 /flight hour (for both connector and wire failures). These rates come from standard reliability databases that are not aviation specific; therefore, their applicability to failure rates aboard aircraft is uncertain. The EWIS RAT support the creation of basic events by guiding the user through a FMEA-type analysis for all of the wire and connector elements. For a wire in a bundle section, there are three modes of failure considered: • • •
Opens Short-to-ground Wire-to-wire short
The third failure mode wire-to-wire short can produce different effects depending on the voltage and power for the wires that are shorted. For example, the effect on a system that has a wire shorted to a ground wire may be different than if one is shorted to a wire carrying 115 Vac. Therefore, the wireto-wire short mode of failure is further divided into additional modes of failure. The modes of failure for a wire that carries 28 Vdc are as follows: • • • • • •
Open Short-to-ground Short-to-wire at 28 Vdc Short-to-wire at different Vdc Short-to-wire at Vac Short to signal wire
The tool does not consider high or intermediate resistance shorts and opens. While it is possible that these failure modes may result in different failure effects than hard shorts and opens, it was thought that the complexity added by including additional failure modes would outweigh the possible benefit. For each failure mode, the user will be asked to supply the effect for each of the failure modes on the functioning of the system. EWIS failures that produce the same effects are grouped in a FMES event. This FMES event can be used as a basic event in the system fault tree as a new effect, or as the EWIS contribution to an existing basic event.
25
To be useful in system fault tree, EWIS components must have a probability associated with the different failure modes. For the fault trees that were examined in the industry survey, as well as in the ARP 4761 guidance material, the probabilities were found using the exponential model, generally using the λτ approximation, where λ is the failure rate (for a given mode) and τ is the exposure time. The failure rates are calculated from data in the Failure and General Information Database. The exposure time is the increment from when the operator knows the component is good until the next time the component’s function is checked. This is often the average mission (or flight) time, if a component is checked during preflight tests. The support for generation of basic EWIS events for insertion into system fault trees is done in the failure matrix analysis. The content of these basic failure matrix reports is a listing of all of the system functional failure basic events that can be caused by EWIS malfunctions. The probability of a basic event occurring is listed with the basic event. This basic event can be inserted directly into the system fault trees along with its probability. In addition, under each basic event, all of the local occurrences, caused by EWIS failures that result in the basic event, are listed with their associated probabilities. Local events are failures that are too narrow in scope to be represented in the fault tree, if its size is to be kept reasonable. The detailed failure matrix reports extends the basic report by listing the individual EWIS components failure mode and probability under the local event. Thus, the failure matrix report can be used as documentation of the EWIS function failure analysis during the certification process. The user of the tool will do a thorough and complete evaluation of all possible EWIS basic failure events. The analysis will be done in a straightforward manner that can be reviewed easily for completeness. The addition of zonal and routing dependent probabilities will allow the user to investigate the effects of different routing paths on the probability of failure. Multiple wire failures constitute a possible failure mode in the EWIS. However, analysis of multiple wire failures is not easily done in a rigorous way using FMEA analysis. One would like to address each of the possible failure configurations. However, the extremely large number of possible configurations of multiple wire failures makes this practically impossibile. Work continues on how to limit the scope of the analysis while still making it effective. Until then, multiple wire failures must be dealt with common cause analysis. UNINTENDED CONSEQUENCES OF FAILURE. In addition to the random discrete events described above, a significant issue with EWIS is that damage due to an EWIS failure (or external trauma) can affect two or more wires, and therefore, possibility more than one system at the same time. ARP 4761 outlines methods to perform a CCA to ensure that multiple wire failure will not pose a threat to safe flight. The analysis is generally qualitative in nature. In the past, the extent to which CCA must be applied to the EWIS has not been spelled out in the regulations. Examples of CCA that have been applied to EWIS include:
26
•
Considering the effect of the loss of entire wire bundles that are routed in an engine rotor burst debris field. This leads to the routing of redundant systems in separate bundles in these areas.
•
Analyzing the effect of an unmated connector, i.e., loss of all systems in a particular connector.
•
A CCA that leads to system architecture such that power wires, having as a source the left or right generators, will be routed independently on separate sides of the aircraft. Right- and left-hand power wires only cross to the other side of an aircraft to power redundant systems. They are routed in the same bundle only if there are spatial limitations.
Note that in the industry survey, it was found that these analyses are not universally performed in the safety analysis. The EWIS RAT program allows the following collocation analyses to be preformed, and it produces a report of the results: a.
Comparative report. This report allows for collocation analysis between any wire, system, subsystem, or bundle section with any other wire, system, subsystem, or bundle section.
b.
System report. This report allows for the selection of a single system and generates a report displaying those components (bundles, connectors, etc.) of the selected system that are collocated with other systems.
c.
Subsystem report. This report allows for the selection of a single subsystem and generates a report displaying those components (bundles, connectors, etc.) of the selected subsystem that are collocated with other subsystems.
d.
Bundle report. This report allows for a selection of a single bundle section and generates a report displaying those wires (divided by system and subsystem) that are in the given bundle section.
e.
Zonal report. This report allows for a selection of a single subzone and generates a report displaying those components (bundles, connectors, etc.) that are located within the given subzone.
f.
Fault report. This report allows for a selection of two faults and generates a report where, if both the selected faults can be found in the wires that are connected to a component or are in the same bundle, the component or bundle in question will be displayed indicating a collocation between the two faults.
g.
Multiple fault report. This report allows for the selection of multiple EWIS\functional level faults and generates a report displaying all of the wires that can cause the selected
27
faults. The wires are grouped by bundle sections where the wires are contained, and to which connectors\devices the wires are connected. In addition to the more directed reports describe above, the bundle section reports are designed to give a full description of all of the bundle sections that have been entered into the model. The bundle section report not only provides information on the bundles damage potential and arcing potential, but also the contents and routing of each bundle section is examined and analyzed. The analysis of each bundle section yields a listing of questions that have been developed and compiled from several wire safety and routing documents. The reports are designed to be completely interactive and allow the user to fully explain circumstances that may have risen to a bundle safety question that need to be asked. The EWIS RAT enhances the effectiveness of performing CCA on EWIS and thereby faces issues of common mode and cascading failures in several ways. a.
Because the whole EWIS structure is represented in the EWIS collocation database, queries can be made simply and at the bundle, 6″ around the bundle, or zonal scope. The results will be more complete.
b.
One of the objectives of the ARP 4761 common mode analysis is to validate the independence of the input failures in the “and” gates of the system fault trees. Using the multiple fault collocation analysis, the user can determine if EWIS failures will reduce the independence of the input events due to collocation.
c.
The bundle section report will ensure that all possible issues with collocation have been recognized and addressed throughout the entire EWIS.
d.
The collocation analysis in the EWIS tool examines the collocated system, not only at the connectors, but also throughout the bundle sections. It is possible that systems sharing a common connector will still have wire routed together.
As the EWIS data are entered into the RAT database, specific system, power, and zonal information (e.g., location of fuel lines) is required of the user so that compliance SFAR 88 can be shown. EFFECTS OF COLLATERAL DAMAGE TO COLLOCATED SYSTEMS AND EQUIPMENT. In addition to functional failures, cascading, and common mode failures, the EWIS has the potential to cause damage to itself and equipment surrounding it through electrical discharges and arc tracking.
28
The industry survey showed that this potential damage is considered in the following ways: a.
Power feeder wires are routed separately from other wires
b.
In some cases, power and signal wires are routed in separate bundles
c.
Industry standards require that wire bundles are not clamped to fuel, hydraulic, or oxygen lines
d.
The SFAR 88 requires all wires that feed directly into fuel tanks or are located near fuel tanks be routed only with other wires that can only carry very little power.
The EWIS tools use the damage potential analysis that gauges the amount of damage that an EWIS failure may generate. The analysis examines the power wires in a bundle and uses experimental data along with parameters, such as wire gauge and insulation type, power source and voltage, and circuit protection (rating and type), and then it assesses the potential damage. When this is combined with a collocation and zonal analysis, the user can assess the effects of collateral damage from EWIS failures. The effects of new technology, such as arc fault circuit breakers, can be integrated into the experimental damage charts used in the analysis. There are four different types of damage potential reports. a.
Bundle damage potential report. This report provides the result of the damage potential analysis on either a single, selected bundle, or all bundles at once.
b.
System damage potential report. This report provides the result of the damage potential analysis on a single system. The report will then include the damage potential information on all bundles where the selected system is contained.
c.
Subsystem damage potential report. This report provides the result of the damage potential analysis on a single subsystem. The report will then include the damage potential information on all bundles where the selected subsystem is located.
d.
Fault damage potential report. This report provides the result of the damage potential analysis for all bundles where at least one of the wires has the selected fault. The report will then include the damage potential information on all bundles where the selected fault is found.
In the bundle section report, the potential damage analysis is determined for each of the bundle sections. Thus, the amount of damage that an electrical event could cause to that bundle section, surrounding bundles, or equipment must be evaluated when the safety of that bundle section is considered. Mitigating techniques may be required to guarantee that a bundle section poses no safety concerns. The data for damage potential are relatively scarce, and there are many combinations of wire/circuit protection combinations where there is no information. Some data can be
29
interpolated; however, more data from the field and laboratory will be needed to complete the potential damage charts. AGE-RELATED DEGRADATION. Currently, aging of EWIS elements is not considered in the safety analyses that have been reviewed. In general, ARP 4761 directs if aging is an issue that will change the failure rate of a component, then that component should be scheduled for replacement before higher failure rates are experienced. While there is evidence that aging does occur in EWIS systems, at present there are no scheduled maintenance or on condition requirements for the removal and replacement of wire for commercial aircraft. One element that complicates the EWIS aging issue is that while aging is a primary cause for insulation to crack, the wire itself can continue to function correctly indefinitely. Thus, aging does not lead directly to functional failure. However, it does lead to an increased chance of failure. This increases the uncertainty in the results of a cost-benefit analysis of pre-emptive wire replacement. The EWIS tools allow the user to consider aging when evaluating the failure probability of wires. The aging models are dependent on insulation type, routing, (curvature, etc.), and environmental conditions (by zone). At present, the only well-defined aging model for insulation in use for typical airframe wire is a hydrolysis model for an aromatic polyimide. Further, models can be added to the tool as they are developed using field data and laboratory aging studies, such as the FAA research project on wire degradation. The result of the aging model will be an increase in the probability of failure as the age of the airplane increases. These new failure rates can be used as the basic events in the fault trees. If the overall probability of a top event increases to an unacceptable level due to an increase in EWIS failure rates, then inspection or maintenance actions should be scheduled (i.e., CMRs). While bringing aging into the safety analysis will increase its reliability, there are issues that make this difficult. Modeling the aging of polymers is a very difficult problem in general, and models based on laboratory results often disagree with field results. To help the modeling gain acceptance, the laboratory results are compared with field data. •
In the future, wire aging effects could be integrated easily into the failure matrix analysis to obtain the changes in failure probabilities for all of the EWIS failure basic events as the aircraft ages.
EVALUATION OF SUBSYSTEM TRADEOFFS OR OTHER CONTROL METHODS. In general, system tradeoffs and control methods are used as necessary so that top events in the system fault trees meet the probability budgets that were allocated in the PSSAs. If a particular system cannot meet its budget while a second system can, then budget requirements may be reallocated. If not, mitigation methods such as redundancy are used to meet the probability criteria. In the CCA (preventing single point failures), the most used control method is redundancy with separation. 30
The EWIS RAT is compatible with this with type of evaluation. Failure probabilities for EWIS and non-EWIS components can be evaluated side by side and the benefits of tradeoffs investigated. The effects of environment and routing are used in the calculation of failure rate. Therefore, different routing paths can be compared as to the effect on overall system failure rates. If an EWIS failure rate is found to be higher than desired, the user will be able to query the results to find the EWIS components responsible for the higher probability numbers. Credit can be taken for mitigating factors, such as arc fault circuit breakers, separation, and barriers (conduit, Teflon® tape, etc.), in the damage potential and zonal analyses. This may allow system routing that otherwise would not be permissible. USE OF AIRCRAFT DESIGN INFORMATION. Most of data needed for the EWIS model database is available from the OAMs. However, it is not collected into a single database, and thus exists in different locations within that organization. Wire data and systems information are located in circuit diagrams. Bundle content information exists with the bundle design and manufacturing groups. Routing data are contained in installation drawings. Zonal information is found in maintenance data. At this time, the different data sources are not easily combined. However, as more and more data are stored digitally, it will be easier to bring this information together. The effect of EWIS failures on connected systems can usually be found in the FMEA data of the systems themselves. EWIS failure modes often mimic the failure of system components. For example, an open wire will have the same affect as a switch that fails to open or a relay that cannot close. Some EWIS failure modes may be unique, and the user will have to determine the correct failure effect. There may be several uses for EWIS data that is collected into a single database besides its use in the TC safety analysis. The EWIS data could be distributed to aircraft owners and operators like circuit diagrams are today, after satisfactory arrangements are made with the OAM. Safety analysis for modifications could use these data and the EWIS modifications could be recorded in the database again, with proper consideration of the OAM. Currently, it is uncertain how complete the zonal information will be since temperature and vibration data can be difficult to obtain. The EWIS tool allows for a default response when data are unavailable. DETERMINING THE SEVERITY OF THE FUNCTIONAL AND COLLATERAL FAILURE. The failure condition severity classification (i.e., catastrophic, hazardous, etc.) of a basic event is determined by its effect on systems and how these are used to perform aircraft level functions. This relationship is determined in the construction of the system fault trees. For example, in one case, the failure of a particular wire (Event A) may be a minor event. However, if the failure occurs in combination with another, possibility non-EWIS event (Event B), then the 31
consequence may be hazardous. Therefore, the severity for the different modes of EWIS components failure will not be required data to be entered by the user. The user will determine if the failure effect caused by an EWIS failure is a basic event in the system fault trees. This will alert the user that the failure effect is safety significant; however, the fault tree will determine the severity of the event. The damage potential analysis determines the damage that may be caused by EWIS failure. The severity of the damage to aircraft level functions will be assessed by the user after considering the collocated systems and equipment. RISK ANALYSIS TOOL FOR TC AND STC APPLICATIONS. Referencing the discussion of the previous items, the risk analysis tools could be used when performing safety analysis on the EWIS in both the SSA and CCA. The failure matrix report and bundle section report will allow applicants and regulators to look at the safety analysis of the whole EWIS, as opposed to the analysis being scattered throughout the safety analysis for many other systems. The tool does require that the EWIS routing, failure effect, and zonal condition data be entered into the EWIS RAT database. At the OAM level, these data are known, although the knowledge may be scattered in different departments and not in a common database at this time. For example, the different systems group knows which wire belongs to their system through the circuit diagrams. Those who make the bundle know which wires are in each bundle, and the installation personnel know in which zones the bundles are installed. For STC applicants modifying a legacy aircraft in which EWIS data for the existing wire bundles are not known, the tool only can be applied to the wiring that the STC is adding to the airplane. It is generally agreed in the aviation community that wire added by the STC should not be routed with existing wire unless the functions of the existing wire can be determined. In this case, the EWIS RAT results will be a valid safety analysis. If the STC requires routing of wire with an existing bundle in some areas due to space limitations, the STC applicant will need to obtain data on the systems routed in the bundles to use the risk analysis tool. However, if detailed information regarding the voltages and power of each of the wires in the existing bundle is not obtainable, then the tool supports using a typical bundle in the failure matrix analysis. In the typical bundle, wires carrying various voltages are assumed by the tool, and the wire failure mode and effects part of the STC EWIS safety analysis is completed with these assumed wires. Therefore, the full range of failure modes is examined for the STC wire. If investigation of the wire bundle determines that a certain type of wire (e.g., 115 Vac) does not exist in the existing bundle, then the typical bundle can be made to reflect this. After the EWIS data of a airplane is entered into a database, such as the one found in this tool, that information can be transferred from one organization to the other. Whether the database is part of the delivery package, similar to what is done currently with circuit diagrams, or another arrangement is made, it would be possible for the knowledge that resides with the OAM to be distributed to other interested parties such as STC shops and maintenance departments. Another possible use for a database similar to the one in the risk analysis tool is that it could be employed to aid in troubleshooting failed systems by maintenance personnel. Queried for a given failure effect, the database could return a list of wires and the failure mode that could cause the 32
observed system failure. The tool also could give the zone and connector information to locate the wire. This possible use of the database has not been developed in the tool at this time. BETA TESTING The following trial runs with appropriate parts of the EWIS RAT were run or reviewed by the following organizations or persons: a.
b.
A manufacturer of a major portion for the United States fleet of 14 CFR Parts 23 and 25 aircraft participated in the development of the tool, and ran portions for a type that has been designed for well over 25 years. At the same time, a new aircraft reached the culmination of a 4-year effort in obtaining its TC by this same group. The tool was run on a significant portion of the electrical distribution system with selected wires from collocated systems (~85 wires total). The personnel of the OAM were cognizant of the implications for the EWIS RAT tool. These have been integrated in the work presently completed or planned for future programming. The OAM had the following concerns: •
There is a potential to reduce the cost and time in preparing a TC EWIS safety analysis.
•
The data entry is time consuming and methods of streamlining this procedure would increase the value of the tool.
An ACO with significant EWIS experience reviewed an early form of EWIS RAT. This reviewer was particularly important, as he had been one of the authors of a new FAA job aid for establishing wiring practices. This job aid is directed toward reducing the probability of wiring failures. His findings were: •
The collocation analysis could act as an EWIS zonal analysis in terms of finding redundant systems routed in the same bundles.
•
It may be useful in systematically documenting the effect of hard EWIS failures on system function.
•
There are doubts as to the validity of using EWIS failure probabilities in fault trees due to their strong dependence of the particulars of installation.
•
The aging model could be useful in setting time interval for CMRs for the EWIS
c.
The FAA Airport and Aircraft Safety R&D Division COTR and aging aircraft electrical system manager have had various DERs review the use of the program.
d.
The log data in a small fleet of Boeing 737s were reviewed with respect to implications for the use of the tool.
e.
A DAR has reviewed the program with regard to points of concern with manufacturing airworthiness and in relation to DER reports pertaining to demonstration of conformance to 14 CFR 25.1309. 33
f.
Demonstration runs of older aircraft have underlined the necessity of establishing a database of wiring schematics, operational effects, cable layouts, and cable installation. The work required to do this has been of great concern to some trial users. On the other hand, regularizing these inputs of data, which is presently kept in many different places and forms, appears to be feasible and promises to improve communications amongst various operating, design, and maintenance functions. The work has been done, but lacks, in some groups, an organized approach that would be rectified by the fitting of the existing data to this tool.
g.
The EWIS RAT software has been introduced to various potential users and three concerns are generally expressed and are addressed below. • • •
Who will enter the EWIS data into the database? What is the validity of the data? What is use of the tool?
It is envisioned that the TC or STC applicant will enter the data into the database. For the TC applicant, the data is available within the organization. However, it may be scattered in different parts of that organization. This is generally true for the STC applicant who is routing wire in separate bundles. If the data is not in an electronic format, entering the data by hand will be labor intensive. Data that is in electronic form can be loaded directly into the database, if it is in the correct format. Algorithms can be created to aid this process. Once the EWIS database is completed for a particular aircraft, it would be of value to anyone working on the airplane. The data is based on historical SDRs and a paired comparison technique using expert opinion. At this point, the failure rates must be considered in an early stage of development. However, with refinement of the paired comparison technique and an increase in the historical data analyzed, the validity of the data will improve. A similar situation exists for the damage potential analysis data (damage due to electrical discharge and arc tracking) and aging analysis data. Results and models created from FAA research programs ongoing in these areas can feed into the tool’s database. The main use for the tool will be to assist in the safety analysis that is performed for TC and STC approval. There are also maintenance applications for the EWIS database. The demonstration and cooperative development of a standardized and structured approach appears to have significant advantages compared to the many different procedures used by the various parties of interest. This has been dramatically illustrated by the various responses to the use of the existing privately developed and commercial computer software for Boolean algebra fault trees. It is expected that the EWIS RAT program will continue to be refined in view of the advantages of a codified and step-by-step approach to risk assessment.
34